Quote:
Originally Posted by cjmiller2: Were you able to solve these issues with Group policy over the VPN?
Yes we were. As per my original post we had to disable the ICMP NULL and ICMP Oversize options on the Edge. That would allow us to bind PCs into Active Directory and do domain logins. To get the domain policies to work we had to fiddle with Windows' "slow link detection" code.
I'm not a Windows expert. One of my team figured out the necessary runes, but as I understand it when communicating with AD for group policy the PC will try various types of ping and based on the response time will decide whether it is a "slow" link or not. Now, since two of the attempted ping types are NULL and oversized, the Edge drops them, so Windows thinks it is a slow link. Just disabling the SmartDashboard ping rules wasn't enough. We needed to mod some reg keys to get a group policy download. Once that was in place we had the same reg keys in the login scripts for the users on that site and that has kept things working reliably.
We have 7 VPN-1 Pros and 2 Edges. The Edges are on the small sites (6 & 2 people) so didn't warrant a local AD box so we never saw this issue until we deployed the Edges.
Apply these, reboot and then you should be running:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:00000000
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"PingBufferSize"=dword:00000500
There is an easy way to test this. If you run 'gpresult' in a command prompt before applying the key you should get an error about RSOP data if logged in as a domain user. Once you've applied that key & rebooted for the current user you should get a dump of the policy settings for that user.
Since 2 of the keys are for the current user you'll have to put these in the login scripts for the users behind the Edge.
Hope this helps
Neil.
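A logon-script sketch for the two per-user values described in the post above. This is an added example, not the poster's script: the function names are hypothetical, the registry values are the ones given in the post, and it assumes the logon script runs with rights to write under HKCU\Software\Policies (standard users cannot by default). The HKLM value is only checked, since writing it needs administrative rights.

```powershell
# Added example, not from the original post. Function names are hypothetical.
$UserKey    = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$MachineKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'

# Per-user values as given in the post (0x500 = 1280 decimal).
$UserValues = @{
    GroupPolicyMinTransferRate = 0x0
    PingBufferSize             = 0x500
}

function Get-DwordOrNull {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-SlowLinkUserValues {
    # Create the policy key if this user does not have it yet.
    if (-not (Test-Path $UserKey)) { New-Item -Path $UserKey -Force | Out-Null }
    foreach ($name in $UserValues.Keys) {
        $want = $UserValues[$name]
        # Write only when missing or different, so repeat logons are quiet.
        if ((Get-DwordOrNull $UserKey $name) -ne $want) {
            New-ItemProperty -Path $UserKey -Name $name -Value $want `
                -PropertyType DWord -Force | Out-Null
            Write-Output "set HKCU $name = $want"
        }
    }
}

function Test-SlowLinkMachineValue {
    # Report only: a user logon script normally cannot write HKLM.
    $have = Get-DwordOrNull $MachineKey 'GroupPolicyMinTransferRate'
    if ($have -ne 0) {
        Write-Warning "HKLM GroupPolicyMinTransferRate is '$have', expected 0"
        return $false
    }
    return $true
}

Set-SlowLinkUserValues
[void](Test-SlowLinkMachineValue)
```

After the next reboot and logon, 'gpresult' run as the domain user is the check the post describes for confirming that policy is being applied.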